[StepSecurity] ci: Harden GitHub Actions (#5190)

## Summary

This pull request is created by
[StepSecurity](https://app.stepsecurity.io/securerepo) at the request of
@robertbastian. Please merge the Pull Request to incorporate the
requested changes. Please tag @robertbastian on your message if you have
any questions related to the PR.
## Security Fixes

### Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security
risk. GitHub's Security Hardening guide recommends pinning actions to
full length commit.

- [GitHub Security
Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
- [The Open Source Security Foundation (OpenSSF) Security
Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies)


## Feedback
For bug reports, feature requests, and general feedback; please email
[email protected]. To create such PRs, please visit
https://app.stepsecurity.io/securerepo.


Signed-off-by: StepSecurity Bot <[email protected]>

Signed-off-by: StepSecurity Bot <[email protected]>

.github/workflows/artifacts-build.yml

@@ -58,24 +58,24 @@ jobs:
     needs: credentials
     runs-on: "ubuntu-latest"
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     # GCP Boilerplate for jobs in main or forked repository (needs credentials)
     - id: gcp-auth
       if: github.ref != 'refs/heads/main' || github.repository != 'unicode-org/icu4x'
       name: "Authenticate to Google Cloud with JSON Credentials"
-      uses: google-github-actions/auth@v2
+      uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
       with:
         credentials_json: '${{ secrets.ICU4X_GCP_SA_KEY }}'
     - id: gcp-auth-main
       if: github.ref == 'refs/heads/main' && github.repository == 'unicode-org/icu4x'
       name: "Authenticate to Google Cloud with Workload Identity Provider"
-      uses: google-github-actions/auth@v2
+      uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
       with:
         workload_identity_provider: "projects/66042061814/locations/global/workloadIdentityPools/icu4x-gha-pool1/providers/icu4x-gha-provider1"
         service_account: "[email protected]"
     - name: "Set up Google Cloud SDK"
-      uses: google-github-actions/setup-gcloud@v2
+      uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
 
     - name: Build docs
       run: >
@@ -108,31 +108,31 @@ jobs:
     needs: credentials
     runs-on: "ubuntu-latest"
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     # GCP Boilerplate for jobs in main or forked repository (needs credentials)
     - id: gcp-auth
       if: github.ref != 'refs/heads/main' || github.repository != 'unicode-org/icu4x'
       name: "Authenticate to Google Cloud with JSON Credentials"
-      uses: google-github-actions/auth@v2
+      uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
       with:
         credentials_json: '${{ secrets.ICU4X_GCP_SA_KEY }}'
     - id: gcp-auth-main
       if: github.ref == 'refs/heads/main' && github.repository == 'unicode-org/icu4x'
       name: "Authenticate to Google Cloud with Workload Identity Provider"
-      uses: google-github-actions/auth@v2
+      uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
       with:
         workload_identity_provider: "projects/66042061814/locations/global/workloadIdentityPools/icu4x-gha-pool1/providers/icu4x-gha-provider1"
         service_account: "[email protected]"
     - name: "Set up Google Cloud SDK"
-      uses: google-github-actions/setup-gcloud@v2
+      uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
 
     - name: Install doxygen-awesome
       run: |
         git clone --depth 1 https://github.com/jothepro/doxygen-awesome-css.git
 
     - name: Build docs
-      uses: mattnotmitt/[email protected]
+      uses: mattnotmitt/doxygen-action@411df0c62acb5b96b8a93d93a7bf4b753c47ea05 # v1.9.5
       with:
           doxyfile-path: 'tools/config.doxy'
 
@@ -155,24 +155,24 @@ jobs:
     needs: credentials
     runs-on: "ubuntu-latest"
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     # GCP Boilerplate for jobs in main or forked repository (needs credentials)
     - id: gcp-auth
       if: github.ref != 'refs/heads/main' || github.repository != 'unicode-org/icu4x'
       name: "Authenticate to Google Cloud with JSON Credentials"
-      uses: google-github-actions/auth@v2
+      uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
       with:
         credentials_json: '${{ secrets.ICU4X_GCP_SA_KEY }}'
     - id: gcp-auth-main
       if: github.ref == 'refs/heads/main' && github.repository == 'unicode-org/icu4x'
       name: "Authenticate to Google Cloud with Workload Identity Provider"
-      uses: google-github-actions/auth@v2
+      uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
       with:
         workload_identity_provider: "projects/66042061814/locations/global/workloadIdentityPools/icu4x-gha-pool1/providers/icu4x-gha-provider1"
         service_account: "[email protected]"
     - name: "Set up Google Cloud SDK"
-      uses: google-github-actions/setup-gcloud@v2
+      uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
 
     - name: Build docs
       run: |
@@ -201,27 +201,27 @@ jobs:
     needs: credentials
     runs-on: "ubuntu-latest"
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     # GCP Boilerplate for jobs in main or forked repository (needs credentials)
     - id: gcp-auth
       if: github.ref != 'refs/heads/main' || github.repository != 'unicode-org/icu4x'
       name: "Authenticate to Google Cloud with JSON Credentials"
-      uses: google-github-actions/auth@v2
+      uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
       with:
         credentials_json: '${{ secrets.ICU4X_GCP_SA_KEY }}'
     - id: gcp-auth-main
       if: github.ref == 'refs/heads/main' && github.repository == 'unicode-org/icu4x'
       name: "Authenticate to Google Cloud with Workload Identity Provider"
-      uses: google-github-actions/auth@v2
+      uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
       with:
         workload_identity_provider: "projects/66042061814/locations/global/workloadIdentityPools/icu4x-gha-pool1/providers/icu4x-gha-provider1"
         service_account: "[email protected]"
     - name: "Set up Google Cloud SDK"
-      uses: google-github-actions/setup-gcloud@v2
+      uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
 
     - name: Install Dart
-      uses: dart-lang/setup-dart@v1
+      uses: dart-lang/setup-dart@0a8a0fc875eb934c15d08629302413c671d3f672 # v1.6.5
       with:
         sdk: 3.4.0-204.0.dev
 
@@ -254,17 +254,17 @@ jobs:
     name: WASM Demo
     runs-on: "ubuntu-latest"
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     # GCP Boilerplate for jobs in main repository
     - id: gcp-auth
       name: "Authenticate to Google Cloud with Workload Identity Provider"
-      uses: google-github-actions/auth@v2
+      uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
       with:
         workload_identity_provider: "projects/66042061814/locations/global/workloadIdentityPools/icu4x-gha-pool1/providers/icu4x-gha-provider1"
         service_account: "[email protected]"
     - name: "Set up Google Cloud SDK"
-      uses: google-github-actions/setup-gcloud@v2
+      uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
 
     - name: Init packages
       run: |
@@ -320,21 +320,21 @@ jobs:
     # Example "debugging" workflow: https://github.com/echeran/icu4x/actions/runs/296714990
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     # GCP Boilerplate for jobs in main repository
     - id: gcp-auth
       name: "Authenticate to Google Cloud with Workload Identity Provider"
-      uses: google-github-actions/auth@v2
+      uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
       with:
         workload_identity_provider: "projects/66042061814/locations/global/workloadIdentityPools/icu4x-gha-pool1/providers/icu4x-gha-provider1"
         service_account: "[email protected]"
     - name: "Set up Google Cloud SDK"
-      uses: google-github-actions/setup-gcloud@v2
+      uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
 
     # Cargo-make boilerplate
     - name: Install cargo-make
-      uses: taiki-e/install-action@v2
+      uses: taiki-e/install-action@64e4e2f995104968c78bd697b253d55bf557af66 # v2.41.11
       with:
         tool: [email protected]
 
@@ -353,7 +353,7 @@ jobs:
         gsutil -m cp -rn gs://${{ env.GCP_MAIN_BUCKET_ID }}/gha/benchmarks/perf/${{ matrix.component }}/* benchmarks/perf/${{ matrix.component }}
 
     - name: Store benchmark result & create dashboard
-      uses: rhysd/[email protected]
+      uses: rhysd/github-action-benchmark@c3efd4d54319dbc90622069cc273cba59b46abbf # v1.15.0
       with:
         name: Rust Benchmark
         tool: 'cargo'
@@ -404,21 +404,21 @@ jobs:
       group: bench-memory-${{ matrix.os }}
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     # GCP Boilerplate for jobs in main repository
     - id: gcp-auth
       name: "Authenticate to Google Cloud with Workload Identity Provider"
-      uses: google-github-actions/auth@v2
+      uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
       with:
         workload_identity_provider: "projects/66042061814/locations/global/workloadIdentityPools/icu4x-gha-pool1/providers/icu4x-gha-provider1"
         service_account: "[email protected]"
     - name: "Set up Google Cloud SDK"
-      uses: google-github-actions/setup-gcloud@v2
+      uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
 
     # Cargo-make boilerplate
     - name: Install cargo-make
-      uses: taiki-e/install-action@v2
+      uses: taiki-e/install-action@64e4e2f995104968c78bd697b253d55bf557af66 # v2.41.11
       with:
         tool: [email protected]
 
@@ -469,21 +469,21 @@ jobs:
       group: bench-binsize
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     # GCP Boilerplate for jobs in main repository
     - id: gcp-auth
       name: "Authenticate to Google Cloud with Workload Identity Provider"
-      uses: google-github-actions/auth@v2
+      uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
       with:
         workload_identity_provider: "projects/66042061814/locations/global/workloadIdentityPools/icu4x-gha-pool1/providers/icu4x-gha-provider1"
         service_account: "[email protected]"
     - name: "Set up Google Cloud SDK"
-      uses: google-github-actions/setup-gcloud@v2
+      uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
 
     # Cargo-make boilerplate
     - name: Install cargo-make
-      uses: taiki-e/install-action@v2
+      uses: taiki-e/install-action@64e4e2f995104968c78bd697b253d55bf557af66 # v2.41.11
       with:
         tool: [email protected]
 
@@ -568,24 +568,24 @@ jobs:
       group: "pages"
       cancel-in-progress: true
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       # GCP Boilerplate for jobs in main repository
       - id: gcp-auth
         name: "Authenticate to Google Cloud with Workload Identity Provider"
-        uses: google-github-actions/auth@v2
+        uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
         with:
           workload_identity_provider: "projects/66042061814/locations/global/workloadIdentityPools/icu4x-gha-pool1/providers/icu4x-gha-provider1"
           service_account: "[email protected]"
       - name: "Set up Google Cloud SDK"
-        uses: google-github-actions/setup-gcloud@v2
+        uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
       - name: Download artifacts
         run: |
           mkdir website
           gsutil -m cp -rn gs://${{ env.GCP_MAIN_BUCKET_ID }}/gha/* website || true
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v2
+        uses: actions/upload-pages-artifact@a753861a5debcf57bf8b404356158c8e1e33150c # v2.0.0
         with:
           path: 'website'
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v1
+        uses: actions/deploy-pages@f27bcc15848fdcdcc02f01754eb838e44bcf389b # v1.2.9